Money Matters

But moving beyond today's generally fragmented, inconsistent approach to security won't be easy, or even fully achievable.
In many ways, says Brian Jenkins, a security expert and senior adviser to the president of the RAND Corp., better security, like improvements in quality, must be an ongoing effort that involves finding the right mix of risk management principles and companywide security policies, IT security, technology initiatives, marketing, education and training. And the effort has to be baked into business processes from the start, not hardwired onto them as an afterthought that will slow productivity, stifle necessary transparency between factory and suppliers or sacrifice worker creativity to policies that might promote excessive monitoring.

What's wrong with our current management efforts? If the torrent of recent security studies, polls and research papers on corporate information security are any guide, the picture isn't encouraging. In 2003, 75 percent of security executives acknowledged financial losses from security breaches, but only 47 percent could quantify the losses to researchers at the Computer Security Institute and the FBI. Some 40 percent of top IT executives surveyed in July by CIO Insight say they've had to cancel plans to reduce security risks after getting complaints from business managers. Some 19 percent of IT workers surveyed by Sophos Corp., an antivirus firm, say they install software patches for security holes "whenever they can get to it" rather than as part of an ongoing procedure that analyzes which patches are most important at any given time to the company's current business priorities.

And if that isn't discouraging enough, a new survey by the Information Technology Association of America, a technology trade group based in Arlington, Va., shows that 65 percent of American workers say their coworkers don't care about cyber security and 46 percent say they have no formal training in information security practices.

What to do? Many analysts, including Gartner's Witty, argue that a different mindset about the IT security problem within the corporation is required. Witty sees a "huge alignment gap" in many firms between IT security people and business risk managers. This, in turn, has led to a situation where few firms today are able to tie information security threats to a specific business vulnerability, a critical piece of knowledge that's missing when companies are deciding how and where to make the most of their security dollars.

At Bank of America, for example, keeping better pace with critical software patches and strategically choosing which to use was not the priority it should have been when the Slammer worm hit. "The need for more effective patch management isn't always correlated strongly enough into what-ifs for many businesses," says BofA's MacLean.

No surprise, says Christopher Klaus, CTO of Atlanta-based Internet Security Systems Inc: "When you total how much it would cost to roll out security patches rigorously in a Fortune 1,000 environment, the result could easily be more than $20 million. Say it takes four hours to install each patch and make sure the applications still work. Say you're paying someone $80 an hour to do this and it costs $320 to patch that one machine and you have 1,000 servers in your environment. That's now $320,000. Multiply that by a conservative estimate of five as the number of Microsoft and Linux and Cisco and Oracle patches each month, multiply that again by 12 months, and it's about $20 million." Most, Klaus says, would not even try due to sheer cost and manpower considerations. And according to a recent CERT report, many system administrators don't install all the security patches issued "because they don't know how, do not have the resources, do not maintain all of the computers or have computer users who will not let them."

Here, again, is where having a more holistic and effective security strategy might have made it clear, even to the part-time programmer in the IT shop, that it's not all or nothing, but more about knowing which patches to install first and which to forget about entirely. "The beauty of a holistic, overarching approach to security is that once you clarify the business values, goals and priorities of what people do and how they do their jobs, you don't get people making decisions on their own anymore that might conflict with what's important to the business," says Joseph Duffy, partner and global leader of PricewaterhouseCoopers' global security practice.
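
One way to make "which patches first, which to forget about" a repeatable decision instead of a judgment call by whoever is on shift: score each advisory against the assets it actually touches, and let the business owner's criticality rating and the host's exposure drive the schedule. The following is an added example, not code from the article or from any of the vendors it quotes; the inventory, advisory identifiers, weights and thresholds are all constructed assumptions.

```python
"""Risk-ranked patch triage: which patches go out first, which can wait.

Added example, not from the article or any vendor. Inputs are constructed;
the scoring weights and thresholds are illustrative assumptions, not a standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    business_criticality: int   # 1 (low) .. 5 (revenue-critical), set by the business owner


@dataclass(frozen=True)
class Patch:
    patch_id: str
    vendor: str
    severity: int               # 1 .. 10 as rated in the vendor advisory
    exploited_in_wild: bool
    affected_assets: tuple      # Asset instances in our estate that run the affected software


def patch_score(patch: Patch) -> float:
    """Score = advisory severity x worst-case exposure among affected assets.

    Exposure is business criticality, doubled for internet-facing hosts; known
    in-the-wild exploitation adds a further 1.5x. All weights are assumptions.
    A patch for software nothing in the estate runs scores 0: there is nothing to patch.
    """
    if not patch.affected_assets:
        return 0.0
    exposure = max(a.business_criticality * (2 if a.internet_facing else 1)
                   for a in patch.affected_assets)
    score = patch.severity * exposure
    if patch.exploited_in_wild:
        score *= 1.5
    return score


def triage(patches) -> dict:
    """Rank by score and bucket into deployment windows. Thresholds are assumptions."""
    ranked = sorted(patches, key=patch_score, reverse=True)
    buckets = {"emergency_48h": [], "this_cycle": [], "defer": []}
    for p in ranked:
        s = patch_score(p)
        if s >= 60:
            buckets["emergency_48h"].append(p.patch_id)
        elif s >= 20:
            buckets["this_cycle"].append(p.patch_id)
        else:
            buckets["defer"].append(p.patch_id)   # includes not-applicable patches (score 0)
    return buckets


# Constructed inventory (hypothetical hosts).
ORDERS_DB = Asset("orders-db", internet_facing=False, business_criticality=5)
WEB_FE    = Asset("www-frontend", internet_facing=True, business_criticality=5)
FILE_SRV  = Asset("file-server", internet_facing=False, business_criticality=3)
HR_KIOSK  = Asset("hr-kiosk", internet_facing=False, business_criticality=1)

# Constructed advisories for one month (hypothetical identifiers).
PATCHES = [
    Patch("DB-2003-01",     "Oracle",    severity=9,  exploited_in_wild=True,  affected_assets=(ORDERS_DB,)),
    Patch("WEB-2003-07",    "Microsoft", severity=7,  exploited_in_wild=False, affected_assets=(WEB_FE,)),
    Patch("KIOSK-2003-02",  "Linux",     severity=6,  exploited_in_wild=False, affected_assets=(HR_KIOSK,)),
    Patch("ROUTER-2003-03", "Cisco",     severity=10, exploited_in_wild=True,  affected_assets=()),
    Patch("FILE-2003-05",   "Microsoft", severity=7,  exploited_in_wild=False, affected_assets=(FILE_SRV,)),
]

if __name__ == "__main__":
    for bucket, ids in triage(PATCHES).items():
        print(bucket, ids)
```

Two things the ranking shows that a severity-only list would not: the severity-7 front-end patch outranks the severity-9 database patch because the front end is internet-facing, and the severity-10 router advisory is deferred outright because no asset in the inventory runs the affected software. The weights are the part the business, not IT, has to own; the code only makes their decision consistent.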

Indeed, a company fully re-engineered for security might even have someone from HR creating compensation incentives to reward IT staff for diligence during spikes in the number of patches being issued. "You could have some sort of contest with bonus points tied to workspeed in some of these situations," Duffy says, depending on what your most critical business goals are.

But these sorts of flexible judgments will also require new types of leadership, MIT workplace expert and IT professor Thomas Malone suggests, and new types of worker-management relationships that enable speedier decision-making. Says BofA's MacLean: "Your security strategy has got to be about the people in the boardroom as much as the programmers in the IT shop, as well as the manager on the road with a company laptop. If we're not thinking this way about how we do business now, then security problems are going to rise up and bite us. Companies simply can't afford not to know what their most important security threats are and what their policies are for dealing with them, at every level of the corporation." Says security expert Bruce Schneier, author, cryptographer and CTO of Counterpane Internet Security Inc: "Without a more intelligent approach to security, we're making ourselves sitting ducks and our customers fools."

The point isn't lost on Motorola. CISO Boni's re-engineering strategy, which he began developing in the days after Sept. 11, assumes a number of basic trade-offs, and his goal is to continue defining them as conditions and culture permit. "When you're dealing with IT operations in 64 countries around the planet with over 100,000 employees and a quarter million or so network-connected devices and so forth, absolute bullet-proof prevention is an unrealized objective," says Boni. For the past two years, he has worked to help the company better define how these trade-offs can be made, and has assigned 12 members of his 40-member security staff to work with the company's individual business units, to make sure these priorities see the light of day.

Boni is the first to acknowledge it's been a cultural struggle. "People are too smart and are not going to do something just because they were ordered to by some corporate person," he says. "You've got to get their hearts and minds behind the new directions, behind the notion of control."

The crown jewel of Boni's program is awareness and training, an often underrated, maligned part of security strategy. It includes social re-engineering, training of all employees in security policies, philosophies and execution, and a framework for penalties and rewards. Boni's goal: to provide, by the end of 2004, in-person or online training sessions that would give what he calls "foundational grounding" in all security and privacy policies and practices to each of Motorola's 100,000 employees, and then add incentives for achieving goals in execution.

Boni acknowledges it's a huge task and that compliance might not be 100 percent, at least not at first, if ever. "It's a big project, but by building the framework and creating the content and putting it into production, we are going to have an impact on the overall awareness and compliance with the standards," Boni says. "No question this has to be a holistic approach that involves changes at every level of the organization."

Compliance with security policies is a huge problem for most firms, surveys show. A joint study by Novell Worldwide Services, Stanford University and Hong Kong University of Science and Technology, for example, says that 8 out of 10 times, passwords are written on the back of a person's business card. Further, 43 percent of companies take more than two days before they cut off computer network access to people who have left the firm, while 15 percent take more than two weeks. Booz Allen Hamilton says many IT security policies are not followed, or even fully understood. "If you don't have a culture where security has been a priority, it's tough to build one," says RAND's Jenkins.
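
The two-day and two-week deprovisioning lags above are easy to measure if the HR leaver feed and a directory export are reconciled on a schedule, and that reconciliation is also the check that catches the accounts that never got disabled at all. The following is an added example, not code from the article or from any of the surveyed firms; the leaver list and directory records are constructed, and in practice the two inputs would come from the HR system and an LDAP or domain export.

```python
"""Reconcile the HR leaver list against the directory to find access that outlived employment.

Added example, not from the article or any surveyed firm. The records below are
constructed; real inputs are an HR termination feed and a directory account export.
"""
from datetime import date

# Constructed HR feed: who left and on what date.
HR_LEAVERS = {
    "asmith": date(2003, 10, 1),
    "bjones": date(2003, 10, 6),
    "cdoe":   date(2003, 10, 8),
    "dlee":   date(2003, 9, 15),
}

# Constructed directory export: account state as of the audit date.
DIRECTORY = [
    {"user": "asmith", "enabled": False, "disabled_on": date(2003, 10, 1)},
    {"user": "bjones", "enabled": True,  "disabled_on": None},
    {"user": "cdoe",   "enabled": True,  "disabled_on": None},
    {"user": "dlee",   "enabled": False, "disabled_on": date(2003, 10, 3)},
    {"user": "eroe",   "enabled": True,  "disabled_on": None},   # current employee, not a leaver
]

AUDIT_DATE = date(2003, 10, 10)   # the day this check runs (assumption)


def stale_accounts(leavers, directory, audit_date=AUDIT_DATE, grace_days=2):
    """Leavers whose account is still enabled more than grace_days after termination.

    Returns (user, days_since_termination), worst first. These are the accounts
    the survey's "more than two days" figure is counting, caught while still open.
    """
    by_user = {rec["user"]: rec for rec in directory}
    stale = []
    for user, left_on in leavers.items():
        rec = by_user.get(user)
        if rec is None or not rec["enabled"]:
            continue
        lag = (audit_date - left_on).days
        if lag > grace_days:
            stale.append((user, lag))
    return sorted(stale, key=lambda t: t[1], reverse=True)


def deprovisioning_lag(leavers, directory):
    """Days between termination and disablement for leavers already disabled.

    This is the metric to trend over time; a lag of 0 means same-day removal.
    """
    by_user = {rec["user"]: rec for rec in directory}
    lags = {}
    for user, left_on in leavers.items():
        rec = by_user.get(user)
        if rec and not rec["enabled"] and rec["disabled_on"]:
            lags[user] = (rec["disabled_on"] - left_on).days
    return lags


if __name__ == "__main__":
    print("still enabled past grace:", stale_accounts(HR_LEAVERS, DIRECTORY))
    print("lag for disabled accounts:", deprovisioning_lag(HR_LEAVERS, DIRECTORY))
```

Run daily, the first function is the alert (an account open four days after the person left) and the second is the trend the risk manager can put in front of an underwriter. The grace period is a policy choice; the check itself does not care what it is set to.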

Just ask Jeff Nigriny, the CSO of Exostar LLC, an electronic marketplace for the defense industry. Nigriny gets so frustrated with employees' refusal to follow even basic security policies, he resorts on occasion to sending silly or embarrassing broadcast e-mails to coworkers, under the names of people who keep their machines open when leaving their desks at night to go home, just to force a change in behavior and convince people he means business. It's worked, to some extent. Nigriny reports a more than 90 percent drop in the number of machines left unattended at any given time.

At Avaya Inc., a $5 billion Basking Ridge, N.J., communications network provider, all security policies are under the purview of one cross-functional security team that includes business, legal, HR, IT, real estate, PR, environmental and risk representatives. "The discussions can get lively at times," as members hammer out new trade-offs in the push to weave security into Avaya's business fabric, acknowledges Marene Allison, the company's director of global security. One of the early compromises: minimum change in external physical security at the company, though guard contracts, for example, were changed and there is a new emphasis on emergency response training. "In this case, we wanted to have the ability to secure our environment, but we wanted our facilities to remain welcoming to employees and visitors," she says. "We didn't want to convey the idea that security had to be a negative thing from the start."

Allison says Avaya has been able to reduce costs and increase employee compliance with its new security policies because it now has a single security initiative, versus dozens of ongoing efforts. "Having a single point of accountability for security and a clear understanding of how it fits into the business has not only improved employee compliance with the new set of security rules, it has also eased negotiations with insurance underwriters," says Diane Askwyth, Avaya's risk manager.

But Allison says her work is just beginning. The push to re-engineer has made it clear that new forms of leadership are required, she says, not only for companies to make better concessions day-to-day between convenience and caution, cost and business efficiency, but to help employees and customers cope with the new climate of caution.

But if regulators, underwriters and hackers aren't enough to trigger a re-engineering drive at a company, its customers may, ultimately, be the final drivers of change. Don't think it could happen? Guess again. Last winter, a teenage computer programmer trying to buy a pair of jeans online from clothing retailer Guess.com decided to test the system's security before trusting it to take his credit card. In went an SQL injection attack, a well-known Web commerce vulnerability, and out came 200,000 customer names and credit card numbers. Not only did the information spill out easily, it was in clear text rather than the encrypted format Guess.com had promised in its privacy policy. Miffed, the teenager reported the apparel company to the Federal Trade Commission. On June 18, the FTC ordered the company to "implement a comprehensive information security program for Guess.com and its other Web sites." Says Howard Beales, director of the FTC's Bureau of Consumer Protection: "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that. It's not just good business, it's the law." Edward Amoroso, the CISO of AT&T, predicts: "We're going to see more customer activism as generations born with the Internet come of consumer age." To be sure, he says, "security has migrated out of the CIO's office and become an industry issue. As it relates to the pure corporate environment, most definitely, the focus today is indeed all about re-engineering."
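
The flaw behind the Guess.com spill is worth seeing in code, because the fix is a one-line change that most shops had already been told about. The following is an added example and is not Guess.com's code; the schema, rows and card numbers are constructed (the numbers are not real cards), and it uses Python's sqlite3 module so it runs offline. The vulnerable lookup builds the query by string concatenation; the safe one hands the user's input to the driver as a bound parameter, so it can never be parsed as SQL.

```python
"""SQL injection: the vulnerable query beside the parameterized fix.

Added example, not Guess.com's code. Schema, rows and card numbers are constructed
(not real cards). sqlite3 is used so it runs offline; the same pattern holds for
any DB-API driver.
"""
import sqlite3


def build_db():
    """In-memory table holding card numbers in clear text, as the breached site did."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (order_id TEXT, name TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        ("A100", "Alice", "4000000000000001"),   # constructed, not a real card number
        ("A101", "Bob",   "4000000000000002"),
        ("A102", "Carol", "4000000000000003"),
    ])
    return conn


def lookup_vulnerable(conn, order_id):
    """Builds the SQL from user text: whatever the user types becomes part of the query."""
    sql = "SELECT name, card FROM customers WHERE order_id = '" + order_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, order_id):
    """Parameterized: order_id travels to the engine as data, never as SQL."""
    sql = "SELECT name, card FROM customers WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


# The textbook tautology payload: closes the quoted literal, then ORs in a condition
# that is true for every row. Against the vulnerable function the final query reads
#   SELECT name, card FROM customers WHERE order_id = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("legitimate lookup:     ", lookup_safe(db, "A100"))
    print("vulnerable + payload:  ", lookup_vulnerable(db, PAYLOAD))   # every customer row
    print("parameterized + payload:", lookup_safe(db, PAYLOAD))        # no row matches
```

Parameterization closes the path the teenager walked; the second failure in the story, card numbers stored in clear text despite the privacy policy, is a separate control. Even with a safe query, a table that holds full card numbers in the clear is one misconfigured backup or one read-only bug away from the same outcome, so the columns a public web application can reach should hold no more than the business needs (a reference or the last four digits, not the full number).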

But will many more companies step up to the re-engineering challenge? For Boni, MacLean and others now working on the front lines for change, those who move faster will have the ultimate advantage. "Without a more deeply ingrained, holistic approach to security," says MacLean, "the bad guys are going to keep winning."